ICO Response to Welsh Government Consultation on Draft Additional
Learning Needs Code 


The Information Commissioner (the Commissioner) is pleased to respond to the 
Draft Additional Learning Needs (ALN) Code. 


The Commissioner has responsibility for promoting and enforcing the EU General 
Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (DPA 2018) 
and other information rights legislation. 


The Commissioner is independent of government and upholds information rights 
in the public interest, promoting openness by public bodies and data privacy for 
individuals. The Commissioner does this by providing guidance to individuals and 
organisations, solving problems where she can, and taking appropriate action 
where the law is broken. 


Comment relating to all parts of your consultation 


The Commissioner notes that she is responding to a general public consultation 
and would remind the Welsh Government that under Article 36(4) of GDPR, 
Member States are required to “consult the supervisory authority during
preparation of a proposal for a legislative measure to be adopted by a national 
parliament, or of a regulatory measure based on such a legislative measure, 
which relates to processing”. The matters covered within this public consultation 
appear to fall within scope of that statutory requirement for Welsh Government 
to consult the ICO. Guidance on the application of Article 36(4) has been 
published by DCMS. Paragraph 2.10 of the guidance states “Article 36(4) applies 
directly to the UK, and therefore the requirements of this provision also apply to 
legislative and statutory measures adopted by the devolved legislatures”. 
Notwithstanding comments contained in this response, the Welsh Government 
should ensure that it complies with Article 36(4) by consulting directly with the 
ICO as laid out in that Guidance. 


Comments on Part 1 of your consultation 


The Draft ALN Code clearly requires a considerable amount of processing of 
personal and special category data about children and their families. Special 
category data includes information revealing racial or ethnic origin, religious or 
philosophical beliefs, health or sexual orientation, among other issues less likely 
to be relevant to this consultation. In addition Article 10 of GDPR provides for
additional protections for the processing of any data relating to criminal offences. 


The Commissioner would emphasise that a significant proportion of the data 
required by these proposals relates to children, who are an inherently vulnerable 
group and whose data is given additional protections under GDPR and DPA 2018. 
Given the centrality of such data to the draft Code, the Commissioner would 
expect to see due consideration given to the data protection implications of the 
proposals. 


Therefore, a Data Protection Impact Assessment (DPIA) should be undertaken on 
the proposals to ensure that the desired aim of the policy is being achieved with 
the minimum necessary impact on individuals’ information rights. Our guidance 
on undertaking a DPIA can be found here. 


The various responsibilities set out in the Code for the assessment of needs and 
development and maintenance of interventions fall to local authorities, schools, 
further education institutes (FEIs), the NHS and a range of others who may be 
involved in providing support or professional advice in relation to the child. It 
therefore seems inadequate given the complexity of the proposals for the only 
reference to data protection in the draft code to be aimed at reminding the 
professionals involved to act in compliance with the law (ALN Code para 7.65).


The Commissioner believes that whilst Local Authorities, Health Boards and many 
FEIs have in house professional data protection support, capacity for data 
protection compliance in schools is often very low. The GDPR requires certain 
organisations, including maintained schools in Wales, to appoint a Data 
Protection Officer, part of whose role is to provide data protection advice to the 
organisation. The Code should remind schools and other public bodies on whom 
duties fall that they have relevant data protection responsibilities and should 
work with their Data Protection Officer to ensure the actions necessitated by the 
Code are taken forward in a compliant way. 


The Code could also usefully prompt organisations to think about the data 
protection rights of the child and those with parental responsibility - perhaps in 
Chapter 2 where there is considerable focus on taking a ‘Rights Based Approach’. 
The information rights set out in the GDPR and DPA 2018 give structure in the 
UK to the human right of privacy and respect for correspondence. 


Throughout the Code all organisations will need to bear in mind their
responsibility to manage the personal information in compliance with data
protection laws, and their responsibility to ensure the individual’s information
rights are respected. Individuals’ rights of particular relevance to this Code
include: 

1. The right to be informed about how their data is being used by each 
organisation, and what their rights are with regard to that information. The 
GDPR ‘right to be informed’ includes a list of issues that must be included in 
what are called ‘privacy notices’. This includes providing child friendly 
versions of the notices wherever children’s data is used. Our guidance can 
be accessed here. 

2. Individuals also have rights to have incorrect / inadequate data rectified, 
and - unless an exemption applies - a right to access the data held about 
them. 

3. Depending on the circumstances, the individual may have a right to object 
to the use of their data for the particular purpose, and in some 
circumstances may even have a right to have it erased. 


Guidance on these and other individual rights under GDPR can be found here. 


All organisations undertaking functions under the Code will need to identify an 
appropriate lawful base under GDPR to legitimise the processing of the personal 
information. Under GDPR, for any use of personal information to be lawful it 
must comply with at least one of the ‘lawful bases’ set out in Article 6. If special 
category data is to be used, then in addition to an Article 6 basis a second basis 
from Article 9 will also be required, many of which are interpreted for the UK in 
DPA 2018. Where the personal information to be used relates to criminal issues 
then in addition to a lawful base in Article 6, the processing must also comply 
with Article 10 of the GDPR and relevant parts of DPA 2018. 


Given the complexity of the data exchanges proposed, it would be advisable for 
Welsh Government to undertake a data mapping exercise at this stage. One aim 
of this exercise should be to ensure that appropriate lawful bases for processing 
from GDPR Article 6 and where appropriate Articles 9 or 10 are available for use 
by the organisations being asked to undertake the functions. Schools and other 
smaller organisations involved in the assessment of need and development and 
maintenance of interventions will welcome guidance from Welsh Government on 
the lawful bases that they are likely to be able to rely on to deliver the tasks 
allotted to them under this Code. This need for guidance may be strongest for 
organisations and individual specialists who may be asked to provide information 
in response to requests made by those organisations taking forward their public 
tasks under this Code. 


Clarity will also need to be established on where ‘data controllership’ sits for the 
processes set out in the Code. This may fall to one organisation, or to a number 
working in partnership. Under GDPR the ‘data controller’ is “the natural or legal
person, public authority, agency or other body which, alone or jointly with 
others, determines the purposes and means of the processing of personal data” 
(Article 4(7)). Some organisations addressed by this Code are under a statutory 
obligation to process personal data for the purposes set out in the Code. Section 
6(2) of the DPA 2018 states that anyone who is under such an obligation and 
only processes the data to comply with it will be a controller. Clarity on data 
controllership will help ensure that the information rights of the individual can be 
properly coordinated and communicated. 


Another function of the proposed data mapping exercise would be to ascertain 
the extent to which the data sharing required by the Code is likely to involve 
either joint data controllership, or partnership working between separate data 
controllers. The Wales Accord on Sharing Personal Information (WASPI) toolkit 
may be a useful resource in these scenarios, and depending on what data sharing 
is identified through the data mapping, it may be that Welsh Government could 
bring together a group of relevant stakeholders to develop WASPI ALN template 
data sharing / data disclosure agreements that could be used by relevant 
organisations across Wales to support delivery of the functions set out in this 
Code. 


Comments on Part 4(c) of your consultation 


Paragraph 480 states ‘Authorities will need to satisfy themselves that they are 
complying with the Data Protection Act when sharing information’. The 
Commissioner recommends that this is updated to refer to the GDPR and DPA
2018. It should also be amended to remind authorities to comply with these 
laws at all times when implementing the Code - the need to comply with data 
protection is not limited solely to data sharing circumstances. 


Comments on Part 5 of your consultation 


The Commissioner notes that an integrated impact assessment has been 
undertaken on the draft ALN Code, the ALN Coordinator Regulations and the 
draft Educational Tribunal for Wales Regulations. She notes that none of these 
impact assessments include any reference to data protection matters, or indicate 
that a separate DPIA has been undertaken. Whilst a DPIA by Welsh Government 
during the development of legislation and Regulations is not a statutory 
requirement, it would be good practice in identifying possible data protection 
problems in the policy proposals, and ensuring that mitigations are built in at an 
early stage. In addition, GDPR Article 35(10) allows that where a DPIA has been 
carried out in the development of law that regulates a specific set of processing 
operations, the requirement on each data controller to undertake a DPIA before
starting the relevant processing will not usually apply. Taking a ‘once for Wales’ 
approach to DPIAs in relation to Welsh Government legislation and Regulations 
would significantly reduce the duplication of work required by each affected data 
controller involved in implementing the policy. Such DPIAs could be developed 
through consultation with intended data controllers to ensure that their front line 
experience is reflected. 




David Teague 
Regional Manager (Wales) 
Information Commissioner's Office 


Cc: Helen Morris, Data Protection Officer, Welsh Government 